File name:

GSI-6.2.2.58.exe

Full analysis: https://app.any.run/tasks/78f96db0-b436-49fd-bc74-6e745d00d99c
Verdict: Malicious activity
Analysis date: August 30, 2024, 17:47:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

DAB22F79095DB0106942A014B693FAA4

SHA1:

ADF3DCCA477303A93D0B7A4D39CF828629EE5B82

SHA256:

0AC40EE341258E380D1837B0A4A60D6C2CE26DE910DE9EC2D409365940AB39CF

SSDEEP:

196608:AmtPzyreXF67G5sKPQ4t0UBEZmXkehHOZbH:AmQreXAqJ5tbym09RH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • GSI-6.2.2.58.exe (PID: 5000)

    • Executable content was dropped or overwritten

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • GetSystemInfo.exe (PID: 1156)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 7068)
      • 7z.exe (PID: 2232)

    • Drops the executable file immediately after the start

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • 7z.exe (PID: 2232)
      • GetSystemInfo.exe (PID: 1156)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 7068)

    • Drops 7-zip archiver for unpacking

      • GetSystemInfo.exe (PID: 4880)
      • GetSystemInfo.exe (PID: 1156)
      • GetSystemInfo.exe (PID: 3852)

    • Process drops legitimate windows executable

      • GSI-6.2.2.58.exe (PID: 5000)
      • 7z.exe (PID: 7068)

  • INFO

    • Checks supported languages

      • GetSystemInfo.exe (PID: 4880)
      • GSI-6.2.2.58.exe (PID: 5000)
      • 7z.exe (PID: 2232)
      • 7z.exe (PID: 6648)
      • GetSystemInfo.exe (PID: 3852)
      • GSI.exe (PID: 208)
      • 7z.exe (PID: 7068)
      • GetSystemInfo.exe (PID: 1156)

    • Create files in a temporary directory

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • 7z.exe (PID: 6648)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 7068)
      • GSI.exe (PID: 208)
      • GetSystemInfo.exe (PID: 1156)
      • 7z.exe (PID: 2232)

    • Reads the computer name

      • GetSystemInfo.exe (PID: 4880)
      • 7z.exe (PID: 6648)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 7068)
      • GSI.exe (PID: 208)
      • 7z.exe (PID: 2232)
      • GetSystemInfo.exe (PID: 1156)

    • Reads the machine GUID from the registry

      • GSI.exe (PID: 208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:05 09:49:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 130048
InitializedDataSize: 14144000
UninitializedDataSize: -
EntryPoint: 0x4ab1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 6.2.2.58
ProductVersionNumber: 6.2.2.58
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AO Kaspersky Lab
FileDescription: Kaspersky Get System Info
FileVersion: 6.2.2.58
InternalName: GSI.exe
LegalCopyright: © 2018 AO Kaspersky Lab. All Rights Reserved.
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
OriginalFileName: GSI.exe
ProductName: Kaspersky Get System Info
ProductVersion: 6.2.2.58
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
12
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start gsi-6.2.2.58.exe getsysteminfo.exe 7z.exe conhost.exe no specs getsysteminfo.exe 7z.exe no specs conhost.exe no specs getsysteminfo.exe 7z.exe conhost.exe no specs gsi.exe no specs gsi-6.2.2.58.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Users\admin\AppData\Local\Temp\x3uw.0\GSI.exe" /FW40C:\Users\admin\AppData\Local\Temp\x3uw.0\GSI.exeGSI-6.2.2.58.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
Kaspersky Get System Info
Version:
6.2.2.58
Modules
Images
c:\users\admin\appdata\local\temp\x3uw.0\gsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
400\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe7z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1156"C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe" /unpack /format=7z /archivePath="C:\Users\admin\AppData\Local\Temp\x3uw.0\Parser.7z" /destinationPath="C:\Users\admin\AppData\Local\Temp\x3uw.0"C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe
GSI-6.2.2.58.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
Kaspersky Get System Information
Exit code:
0
Version:
6.2.2.58
Modules
Images
c:\users\admin\appdata\local\temp\x3uw.0\getsysteminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
1168\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe7z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2232C:\Users\admin\AppData\Local\Temp\x3rk.0\7z.exe x "C:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe.7z" -o"C:\Users\admin\AppData\Local\Temp\x3uw.0" -t7z -yC:\Users\admin\AppData\Local\Temp\x3rk.0\7z.exe
GetSystemInfo.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\x3rk.0\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
3784"C:\Users\admin\Desktop\GSI-6.2.2.58.exe" C:\Users\admin\Desktop\GSI-6.2.2.58.exeexplorer.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
MEDIUM
Description:
Kaspersky Get System Info
Exit code:
3221226540
Version:
6.2.2.58
Modules
Images
c:\users\admin\desktop\gsi-6.2.2.58.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
3852"C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe" /unpack /format=7z /archivePath="C:\Users\admin\AppData\Local\Temp\x3uw.0\GSI.exe.7z" /destinationPath="C:\Users\admin\AppData\Local\Temp\x3uw.0"C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe
GSI-6.2.2.58.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
Kaspersky Get System Information
Exit code:
0
Version:
6.2.2.58
Modules
Images
c:\users\admin\appdata\local\temp\x3uw.0\getsysteminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
4880"C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe" /unpack /format=7z /archivePath="C:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe.7z" /destinationPath="C:\Users\admin\AppData\Local\Temp\x3uw.0"C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe
GSI-6.2.2.58.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
Kaspersky Get System Information
Exit code:
0
Version:
6.2.2.58
Modules
Images
c:\users\admin\appdata\local\temp\x3uw.0\getsysteminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
5000"C:\Users\admin\Desktop\GSI-6.2.2.58.exe" C:\Users\admin\Desktop\GSI-6.2.2.58.exe
explorer.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
Kaspersky Get System Info
Version:
6.2.2.58
Modules
Images
c:\users\admin\desktop\gsi-6.2.2.58.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
6560\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe7z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 303
Read events
1 303
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
10
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
5000GSI-6.2.2.58.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\avz.7z
MD5:
SHA256:
4880GetSystemInfo.exeC:\Users\admin\AppData\Local\Temp\x3rk.0\7z.exeexecutable
MD5:3EC640A8CE140CCAD436F8FF74DBE8DF
SHA256:FACD50B9956A4937663D63676C7A60AE8BB8AF38113753060C48BF68DCE521AB
1156GetSystemInfo.exeC:\Users\admin\AppData\Local\Temp\xw4.0\7z.exeexecutable
MD5:3EC640A8CE140CCAD436F8FF74DBE8DF
SHA256:FACD50B9956A4937663D63676C7A60AE8BB8AF38113753060C48BF68DCE521AB
5000GSI-6.2.2.58.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe.7zcompressed
MD5:314C34DED7446B8D02552D1D104C345D
SHA256:D1BCC0D419DD00191D3DE1841CBE4AFE415527C087A2DB913A01B61EAD958925
5000GSI-6.2.2.58.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.7zcompressed
MD5:73581CA990B0352915041467AD7E3BBC
SHA256:9134B0492B816296E06E3C47CE143345AEA036E61EC074D963B3FAC432787809
1156GetSystemInfo.exeC:\Users\admin\AppData\Local\Temp\xw4.0\7z.zipcompressed
MD5:AEFF0B53E94DD257177F9AD8BC3D1A18
SHA256:E548B67B049995B37A244AA272F9152FC8E4A5F42C24067226DC0F4081791838
5000GSI-6.2.2.58.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exeexecutable
MD5:7E792846BC780365066B7DF586205F91
SHA256:AB3735A062D3129FEA39C50AE29B6E1E786F7AB93DCF61E93EE611147B9733C2
5000GSI-6.2.2.58.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\LicAgreementEn.rtftext
MD5:3FD47C2EA86C43A49D00E83C1C4E7CB6
SHA256:C14AD0EAEFAD1E00705C6D83ADD3D02E2C50BE6092B5A1C56D37E27C845D55DB
5000GSI-6.2.2.58.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\LicAgreementDE.rtftext
MD5:6F78A110F286E6C62ACA59A0E0DE68D4
SHA256:092BD2CA37C152556AC7445460BF4F3E62D69E72431A31852A77B96BD0A3DBD9
22327z.exeC:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exeexecutable
MD5:61D78BCD8D0904AFDDD4C33B52DA40BD
SHA256:676F722C421BDAD979CCEFCEB698DFE3539F4D9502BD7BEB0DC5B3147399E3DF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
5
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6020
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6416
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6020
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GSI-6.2.2.58.exe